Embargo to Espionage: A Cursory Review of the Shamoon Virus

There has been very little coverage about a new usage of the latest class of cyber-weapons, specifically one dubbed the Shamoon Virus. The most likely reason for this is that it did not affect western interests more so than it did middle-eastern state interests.

Specifically, the sabotage of computers at state oil giant Saudi Aramco and Qatari natural gas producer RasGas, coincidentally a partner with the U.S. oil giant Exxon Mobil; do not appear to have affected oil and gas production.

To bring you up to speed on what the Shamoon Virus is, in a nut-shell, it’s essentially a computer virus that spreads through networked computers with unpatched Windows operating systems and ultimately wipes out files by overwriting them. Amusingly, it sometimes leaves behind an image of a burning American flag (Insert cheesy soap opera music here!).

Similarities have been highlighted by Kaspersky Lab and Seculert between Shamoon and the Flame malware (Source: TheRegister.com). Remember the Flame virus? It was first discovered on Iranian Oil Ministry computers in the first part of 2012. The sole purpose of the Flame virus is espionage whereas the Shamoon virus, once a system is infected; the virus compiles a list of files from specific locations on the system and sends information about these files back to the attacker. Finally, the virus apparently overwrites the master boot record of the system to prevent it from booting (Yawn!).

While the intended purpose of these attacks was to disrupt oil and gas production which could have an economic affect here in the United States and in other countries dependent on the petroleum supply from the Persian Gulf region, these cyber-attacks do highlight emerging risks to the security of energy supplies in the Persian Gulf region and potentially elsewhere.

Given the fact that the Flame virus was targeted at Iranian state computers, I’d say it is safe to assume that the Shamoon virus is an Iranian state supported creation (Source: RedOrbit.com), or more specifically, a low-tech version of the Flame virus with the sole purpose of striking fear into western interests (More cheesy soap opera music here!).

The real impact I’d suggest is really further isolation of the Iranian state particularly from its neighbors. I’m always amazed at the perpetual squabbling that goes on throughout the region and this is simply another example.

If we examined the traditional investigative process of looking for the means, motive and opportunity in a criminal investigation, we have plenty to go on here that further suggest this is an Iranian state action. First if we consider the means, well, the state has the source code for the original Flame virus. No one else, aside from the original creator, had that code. Second, if I look at the opportunity, this is in abundance and certainly not a stretch to accept. Finally, the motive; what could possibly be the motive here to attack oil and gas producers? Could it be the general vitriol exhibited between the Iranian government and quite possibly every other modern, civilized, state entity in the world? Or, could it be because the European Union inaugurated its embargo on Iranian oil beginning in July 2012, the most wide-reaching impediment to the Iranian economy of the recent sanctions? Did you know that the European Union, as a market, is bigger than the United States? This is really significant for Iran when you consider that oil accounts for 80% of Iran’s total exports.

Who is really responsible may be a mystery; however, a previously unknown group of computer hackers who call themselves the “Cutting Sword of Justice” have claimed responsibility. Sounds more like something from a comic book and given the lackluster effect they should change their name to the “Butter Knife of Uber-Doom” or something like that. Make no mistake about it though; I’m not suggesting we don’t take this event seriously. Eventually the training wheels will come off and these cyber-weapons and cyber-threats will become more of a problem.